It appears that there is no end in sight to WhatsApp’s security troubles. A fortnight after it sued the Israeli spyware firm NSO Group for exploiting a VoIP call vulnerability to plant its most sophisticated spyware Pegasus in victims’ phones, Facebook, its parent company, issued an advisory on November 14 warning users that “a specially crafted MP4 file” could do much the same. A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100. [Facebook Advisory] What does this vulnerability allow you to do? Through this vulnerability (CVE-2019-11931), a malicious actor can send a specially crafted MP4 file through WhatsApp, which could then be used to remotely execute a code on your device (RCE) or prohibit you from accessing the service (DoS). It is not immediately clear if this remote code means that sophisticated spyware, such as Pegasus, could also be installed. How dangerous was this vulnerability? As per VulDB (Vulnerability Database), a website that tracks all security vulnerabilities in electronic products, the current exploit price for this vulnerability is $5,000-$25,000. Higher amount indicates greater interest among vulnerability brokers.…
